Data Center Security Challenged by Configuration Issues

SAN FRANCISCO - RSA CONFERENCE 2014 - Not all security problems are caused by zero-day vulnerabilities; some are created accidentally.

Data centers are not immune to this reality. According to Michael Cotton, chief security architect at Digital Defense, common configuration and network architecture issues not normally viewed as problematic could be abused by a skilled attacker to wreak havoc. He presented his findings on the issue at the RSA conference this week in San Francisco.

"I [highlighted] a few different vectors; one is the use of reconfiguration of MAC addresses to bring rogue interfaces live onto a management segment and the ability to extract segment passwords from some central management software through the use of a fake baseboard interface," explained Cotton. "Attackers can then use the same mechanisms that datacenter operators use to quickly re-provision and reinstall systems through baseboard control; to instead shutdown and backdoor existing operating systems through offline modification to their hard drive partitions."

Data centers, he added, are somewhat unique in that they have a "blessed" remote-access side channel vector that comes standard on all rackmount hardware known as the 'out-of-band-management-agent' or 'baseboard-management-controller'. This controller typically handles tasks associated with physical access to a device and allows data center operators the ability to have a failsafe way to manage nodes regardless of what is going on with the primary operating system. Because of this, it is not limited by the security controls in place on the host operating system.

"These baseboards are typically placed on a special network segment known as the management network; so long as the integrity of the management network and its associated access control are maintained, everything is great and working as intended," he said.

But when those controls break down, problems ensue.

"The main takeaway for data center security is to focus on locking down management network borders and shared-NIC VLAN pivot points with the same intensive focus that operators put in to locking down external network boundaries," he said. "The reason this intensive focus is necessary is the management network not only has the ability to re-provision associated systems but to potentially backdoor them as well."

Many hardware vendors have removed dedicated NIC cards as an option for low-to-mid range hardware because many datacenter operators now hook all networking up to the same physical network segments and use VLAN access mechanisms to establish which interfaces should be talking on which logical network segment, he added. It is not uncommon, he said, for situations to occur where organizations are not being careful with shared NIC interfaces and misconfigured shared NIC interfaces live on network segments they should not be talking on.

"This means you can end up with 'wrong-submit' or 'cloaked' IP addresses which grant administrative access to machines through the baseboard but will not be detected during normal network audit procedures which only focus on auditing valid IP addresses," he told SecurityWeek.

He recommended that organizations be diligent about ensuring shared NIC interfaces either have their baseboard NIC completely disabled or talking on a separate VLAN network segment then the main NIC.

"Establish strict internal VLAN firewall rules on your management network segments; ones that cannot be bypassed with the sorts of raw socket techniques that a skilled attacker may be able to use on an local network segment, [and] lock down central management controllers to not authenticate to boards which claim to support only straight-key password authentication," he said.